date 2015-08-19
from the veni-vedi-vici dept.
On Tuesday, Netflix, working in conjunction with Google and CERT/CC, published a security advisory covering a series of vulnerabilities that enable denial of service attacks against servers running HTTP/2 services.
HTTP/2, like earlier versions, governs the application layer of the internet stack; it runs atop the transport layer (TCP), the network layer (IP), and the data link layer of the internet. The eight CVEs disclosed do not allow information disclosure or modification, but they could be employed to overload servers.
"Today, a number of vendors have announced patches to correct this suboptimal behavior," the media streaming biz said in its post. "While we haven’t detected these vulnerabilities in our open source packages, we are issuing this security advisory to document our findings and to further assist the Internet security community in remediating these issues."
Seven of the flaws were identified by Jonathan Looney of Netflix, and the eighth (CVE-2019-9518) was found by Piotr Sikora of Google.
Netflix, which characterized the severity of the flaws as "high," did not name the vendors affected by vulnerable HTTP/2 implementations but CERT/CC has.
(Score: 2) by stretch611 on Friday August 16, @05:16AM
Use this as an excuse for your server problems last night... =)
(Score: 1, Insightful) by Anonymous Coward on Friday August 16, @05:34AM (4 children)
Isn't HTTP/2 a Googlism? Is anybody voluntarily serving over HTTP/2?
(Score: 0) by Anonymous Coward on Friday August 16, @05:35AM (1 child)
HTTP/2 is oldsauce
https://en.wikipedia.org/wiki/HTTP/3
(Score: 0) by Anonymous Coward on Friday August 16, @07:57PM
Which is also a Googlism.
(Score: 0) by Anonymous Coward on Friday August 16, @05:05PM (1 child)
Google made SPDY. http/2 is just http2 influenced by SPDY, IIRC. i'm running http2. it has moar features!
(Score: 2) by driverless on Saturday August 17, @01:57AM
HTTP/2, a.k.a. HTTP4Google, is a bunch of Google hacks to make it easier for them to serve content to... users? clients? the product? HTTP/3 is a new set of hacks to make things even easier for Google. It's not surprising that a bunch of Google hacks dressed up as a protocol are also full of vulns.